The 11 scoring criteria

1 - Authentication
2 - Authorization
3 - User’s Input Sanitization
4 - Error Handling and Information leakage
5 - Passwords/PIN Complexity
6 - User’s data confidentiality
7 - Session mechanism
8 - Patch management
9 - Administration interfaces
10 - Communication security
11 - Third-Party services exposure

3 comments:

Ricardo said…

There is an important criterion that is missing: Auditing (log recording)

Anonymous said…

I'm not sure I agree with the category name "User Input Sanitization." What exactly do you mean by this? It does seem to imply that we should "sanitize" or remove "bad" characters from user supplied input. I'm guessing you're saying this to avoid stuff like SQL injection or XSS. Can I suggest "Data Input and Output Formatting?"

Admin said…

Thanks a lot for your suggestions

For now, I am collecting all suggestions and I will release a version 1.1 soon with fixes, more FAQ and improvements. One of the most frequent suggestions is to define how to proceed when more than one vulnerability is found under one criterion: add or limit?

Ricardo:
I fully agree that log monitoring is one of the most essential things in IT security. CCWAPSS aims to score webapps exclusively from an "offensive/pentest" point of view. Even if an accurate log system is set up, logs will not prevent a hacker from breaking into the webapp.
That's why I did not choose logs as an evaluation criterion.

Anonymous:
Output formatting, that's a good question. When we wrote CCWAPSS we had in mind that SQL Injection would be scored on the "User Input" side and XSS on the "Error Message" side. I will fix that point in the next release.

All contributors' names will be credited in the contributor list.

Cheers all!
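The exchange above turns on the difference between "sanitizing" input and handling each output context correctly. The following added example, which is not part of the original post or of CCWAPSS, illustrates that split in Python: a blocklist-style sanitizer that mangles legitimate data, a parameterized query that settles the SQL side without altering the input, and HTML encoding applied at the point of output for the XSS side. The table, rows and names are constructed for the example.

```python
import html
import re
import sqlite3

# Constructed sample rows for an in-memory database (not from the original post).
# The second name is legitimate data that a character-stripping sanitizer would
# destroy; the third is stored markup that must be encoded when displayed.
USERS = [
    ("alice", "alice@example.test"),
    ("o'brien", "obrien@example.test"),
    ("<script>alert(1)</script>", "evil@example.test"),
]


def build_db():
    """Create an in-memory SQLite database populated with the constructed USERS rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def naive_sanitize(value):
    """Blocklist 'sanitization': strips characters commonly seen in payloads.

    This is lossy (o'brien becomes obrien) and depends on the blocklist being
    complete for every downstream interpreter, which is why the commenter
    objects to the term."""
    return re.sub(r"[<>'\";]", "", value)


def lookup_email_sanitized(conn, name):
    """Sanitize, then concatenate into SQL.

    The stripped quotes keep this particular query from being injectable, but a
    legitimate user with an apostrophe in their name can no longer be found."""
    cleaned = naive_sanitize(name)
    row = conn.execute(f"SELECT email FROM users WHERE name = '{cleaned}'").fetchone()
    return row[0] if row else None


def lookup_email_parameterized(conn, name):
    """Input/SQL side: bind the value as a parameter.

    The driver passes the value as data, never as SQL syntax, so no characters
    need to be removed and legitimate names survive intact."""
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def render_profile(name, email):
    """Output/HTML side: encode for the HTML text context at the point of output.

    Stored markup is shown literally instead of being interpreted by the browser,
    regardless of how the data entered the system."""
    return f"<p>{html.escape(name)}: {html.escape(email)}</p>"


if __name__ == "__main__":
    db = build_db()
    for candidate in ("o'brien", "x' OR '1'='1"):
        print(repr(candidate),
              "sanitized ->", lookup_email_sanitized(db, candidate),
              "| parameterized ->", lookup_email_parameterized(db, candidate))
    for name, email in USERS:
        print(render_profile(name, email))
```

Running the block shows the parameterized lookup returning o'brien's address while the sanitized path returns nothing for the same input, and the stored `<script>` name rendered as inert text. The two defenses are independent: parameter binding does nothing for HTML output, and HTML encoding does nothing for SQL, which is the reason a single "sanitization" criterion blurs the two.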